FOREWORD


This is one of a set of seven reports, each one describing the
results, for a particular subsystem, of a study titled "An Engineering
Study of Onboard Checkout Techniques." Under the general title of
"A Guide to Onboard Checkout," the reports are as follows.


Volume    IBM Number    Subsystem

I         71W-00308     Guidance, Navigation and Control
II        71W-00309     Environmental Control and Life Support
III       71W-00310     Electrical Power
IV        71W-00311     Propulsion
V         71W-00312     Data Management
VI        71W-00313     Structures/Mechanical
VII       71W-00314     R.F. Communications

This set of guides was prepared from the results of a nine-month
"Engineering Study of Onboard Checkout Techniques" (NAS9-11189)
performed under NASA contract by the IBM Federal Systems Division
at its Space Systems facility in Huntsville, Alabama, with the support
of the McDonnell Douglas Astronautics Company Western Division,
Huntington Beach, California.

Technical monitor for the study was Mr. L. Marion Pringle, Jr. 
of the NASA Manned Spacecraft Center. The guidance and support 
given to the study by him and by other NASA personnel are gratefully 
acknowledged. 





Section 1 


INTRODUCTION 


1.1 OBJECTIVE 


With the advent of large scale aerospace systems, designers have recognized 
the importance of specifying and meeting design requirements additional to the 
classical functional and environmental requirements. These "additional"
requirements include producibility, safety, reliability, quality, and maintainability.

These criteria have been identified, grown into prominence, and become disciplines
in their own right. Presently, it is inconceivable that any aerospace
system/equipment design requirements would be formulated without consideration of
these criteria.

The complexity, sophistication and duration of future manned space missions
demand that still another criterion be considered in the formulation of
system/equipment requirements. The concept of "checkoutability" denotes the
adaptability of a system, subsystem, or equipment to a controlled checkout
process. As with other requirements, it should also apply from the time of early
design concept formulation.

The results of "An Engineering Study of Onboard Checkout Techniques" and 
other studies indicate that for an extended space mission onboard checkout is 
mandatory and applicable to all subsystems of the space system. In order to use 
it effectively, "checkoutability" should be incorporated into the design of each 
subsystem, beginning with initial performance requirements. 

Conferences with researchers, system engineers and subsystem specialists 
in the course of the basic Onboard Checkout Techniques Study revealed an extensive 
interest in the idea of autonomous onboard checkout. Designers are motivated to 
incorporate "checkoutability" into their subsystem designs but express a need for 
information and guidance that will enable them to do so efficiently. 

It is the objective of this report to present the results of the basic study as 
they relate to one space subsystem to serve as a guide, by example, to those who 
in the future need to implement onboard checkout in a similar subsystem. It is not 
practicable to formulate a firm set of instructions or recipes, because operational
requirements, which vary widely among systems, normally determine the checkout
philosophy. It is suggested that the reader study this report as a basis from
which to build his own approach to "checkoutability."

1.2 BASIC STUDY SUMMARY


1.2.1 STUDY OBJECTIVE 

The basic study was aimed at identification and evaluation of techniques for
achieving the following capabilities in the operational Space Station/Base, under
control of the Data Management System (DMS), with minimal crew intervention:

• Automated failure prediction and detection 

• Automated fault isolation 

• Failure correction 

• Onboard electronic maintenance 

1.2.2 STUDY BASELINE 

The study started in July 1970. The system design baseline was established 
by the Space Station Phase B study results as achieved by the McDonnell-Douglas/ 
IBM team, modified in accordance with technical direction from NASA-MSC. The 
overall system configuration was the 33-foot diameter, four-deck, 12-man station. 
Individual subsystem baseline descriptions are given in their respective "Guide to 
Onboard Checkout" reports. 

1.2.3 STUDY TASKS 

The basic study comprised five tasks. Primary emphasis was given to
Task 1, Requirements Analysis and Concepts. This task established subsystem
baseline descriptions and then analyzed them to determine their
reliability/maintainability characteristics (criticality, failure modes and effects,
maintenance concepts and line replaceable unit (LRU) definitions), checkout
strategies, test definitions, and definitions of stimuli and measurements. After
software preliminary designs were available, an analysis of checkout requirements
on the DMS was performed.

A software task was performed to determine the software requirements 
dictated by the results of Task 1. 

Task 3 was a study of onboard electronic maintenance requirements and 
recommendations of concepts to satisfy them. Supporting research and technology 
tasks leading to an onboard maintenance capability were identified. The study 
implementation plan and recommendations for implementing results of the study 
were developed in Task 4. The task final report also summarizes results of the 
study in all technical tasks. 

Reliability, Task 5, was very limited in scope, resulting in an analysis of
failure modes and effects in three Space Station subsystems, GN&C, DMS (computer 
group) and RF communications. 

1.2.4 PREVIOUS REPORTS 

Results of the basic study were reported by task in the following reports,
under the general title of "An Engineering Study of Onboard Checkout Techniques,
Final Report."


IBM Number    Title

71W-00111     Task 1: Requirements Analysis and Concepts
71W-00112     Task 2: Software
71W-00113     Task 3: Onboard Maintenance
71W-00114     Task 4: Summary and Recommendations
71W-00115     Task 5: Subsystem Level Failure Modes and Effects

Section 2


BASELINE SUBSYSTEM DESCRIPTION 


2.1 GENERAL 


This section describes the baseline Guidance, Navigation and Control
(GN&C) subsystem, which was analyzed to define onboard checkout requirements.
In order to assess requirements for onboard checkout, descriptions at the
subsystem level and the assembly level are required, as well as the major interfaces
between subsystems.

The assembly level description for each of the subsystems (MSFC-DRL-160, 
Line Item 13) provided the primary working document for subsystem analysis. To 
reduce documentation, these documents have been incorporated by reference into 
this report, where applicable. Where no significant differences exist from the 
Phase B definition, this report contains a brief subsystem description and an
identification of the referenced document containing the assembly level
descriptions for that subsystem. Where significant differences do exist, the subsystem
level description includes these changes. MSFC-DRL-160, Line Item 19,
provided the major subsystem interface descriptions for analysis of integrated test
requirements.

2.2 SUBSYSTEM LEVEL DESCRIPTION 

The GN&C Subsystem provides the following functions: 

• Orbit maintenance and change control 

• Zero-g operation stabilization and attitude control 

• Artificial-g operation dynamics and orientation control 

• Navigation 

• Command and monitor of rendezvous and docking 

• Experiment pointing support and positioning control 

The GN&C Subsystem senses and generates the commands and data for these
functions, and the Propulsion Subsystem and a part of the GN&C Subsystem (the
control moment gyros) generate the actuation forces and torques for executing
these functions. The sensing of Space Station position and its relative range and
range rate with respect to other spacecraft is provided through the guidance and
navigation functions, and the sensing of the Space Station attitude and angular rates
is provided through the controls function.

The Guidance, Navigation and Control Subsystem block diagram is shown in 
Figure 2-1. This subsystem consists of stellar-inertial sensors, horizon sensors,
landmark trackers, range and range rate sensors, interface electronics, control 
logic and jet driver electronics, control moment gyros (CMGs) and associated 
electronics, and GN&C preprocessors. 

The GN&C Subsystem must accommodate both the artificial-g and zero-g 
operations of the Space Station. In the artificial-g mode of operation, the GN&C 
Subsystem provides spin control and wobble damping of the rotating Space Station. 
The horizon crossing indicator sensor provides an attitude reference for the spin 
plane of the artificial-g mode. The attitude gyro package provides the rate
signals necessary for the wobble damping function. In the zero-g mode of operation,
the GN&C Subsystem provides autonomous navigation, rendezvous command, 
traffic control, automatic docking, and stabilization and control of the Space 
Station. 

The autonomous navigation scheme utilizes the stellar inertial reference data 
and the automatic landmark tracker augmented with the drag accelerometer. The 
navigation is accomplished by automatically tracking known and unknown landmarks 
several times each orbit. The landmark tracker is similar in operation and
mechanization to a gimbaled star tracker. The drag accelerometer accounts for
anomalies due to Space Station orientation and docked module changes which
contribute to navigation errors.

Both ground tracking and onboard subsystems will provide the navigation 
information for the first few years of the Space Station Program. The ground- 
generated data will be transmitted onboard for evaluation of the autonomous 
navigation system performance. As the confidence in autonomous operation is 
increased through this parallel operation, the ground tracking is to be phased out. 

The rendezvous and traffic monitor functions are accomplished through the 
use of a communication/ranging system for ranges up to 1,000 nmi and with laser
trackers within 110 nmi of the Space Station. The laser trackers are gimbal 
mounted to provide spherical coverage around the Space Station. 

Figure 2-1. Guidance, Navigation, and Control Subsystem

For docking, each docking port is equipped with a laser docking
transmitter/receiver to provide for automatic docking capability.

Attitude and rate information for attitude control and experiment support is 
determined by both Earth-centered and inertial orientations. 

In all operating modes and orientations, the gyros provide the high-frequency 
rate and attitude information necessary to supplement the data from the stellar 
sensors and the horizon sensors. The horizon sensors are used for initial
acquisition of the Earth-referenced coordinates. They also provide a coarse Earth
reference which is used when fine pointing or inertial attitude information is not 
required. 

A more accurate Earth-centered reference is obtained in the horizontal
orientation through the use of the strapdown star sensors. The star sensors
provide the long-term, drift-free inertial reference data while the gyros provide
the short-term, high-frequency attitude and rate information. The passive star
sensors are used while the Space Station is maintained in an Earth-centered
orientation. The constant rotational rate required of the vehicle to maintain this
type of orientation provides the scanning motion for the star sensors, which are
completely passive and provide no tracking or scanning capability of their own.

The sensors themselves provide inertial attitude data which is transformed into
Earth-centered attitude information by use of the navigation parameters. By this
method, both inertial attitude and Earth-centered attitude are derived from the
passive star sensors while the vehicle is in the horizontal or other Earth-centered
orientation. This Earth-centered orientation is considered to be the most
responsive to experiment and subsystem requirements.

The gimbaled star trackers are primarily utilized whenever the Space Station 
is required to maintain an inertial orientation. Because of the lack of angular
rotation of the Space Station in this orientation, the sensors must provide their own
tracking and scanning capability to acquire and track the desired reference stars. 

Primary attitude control actuation is provided by control moment gyros
(CMGs). A CMG configuration utilizing four double-gimbaled CMGs, each having
a momentum capacity of 1,100 ft-lb-sec, was selected for the
isotope/Brayton-powered Space Station. Both high and low-thrust propulsion systems
are utilized by the GN&C subsystem for CMG desaturation and backup attitude
control capability. The reaction jet driver electronics provide the interface with
the Propulsion Subsystem.

Computational capability is provided by the Space Station operations
multiprocessor and the GN&C preprocessors. The preprocessors and the
multiprocessor provide the link between the sensors, which are used to determine
the vehicle angular position, and the actuators, which are used to maintain or
change the vehicle angular position. The GN&C preprocessors perform the 
necessary data formatting in addition to routine data processing for the individual 
sensor subsystem. The Space Station operations multiprocessor performs the 
data processing necessary for all guidance, navigation, and attitude control 
functions. The interface electronics assemblies control the flow of information 
from the sensors to the GN&C preprocessors and condition all sensor inputs to 
standardized levels. The output from the GN&C preprocessors is then routed to 
the operations multiprocessor via the Space Station Data Bus. The interface 
electronics assemblies perform a similar function for output information from the 
computer to the control actuators. 

2.3 ASSEMBLY LEVEL DESCRIPTIONS 

Descriptions of the GN&C Subsystem assemblies are provided in the Space 
Station MSFC-DRL-160, Line Item 13, Volume I, Book 4, Utility Services. These 
descriptions include discussions of major assemblies, physical characteristics, 
block diagrams, and interfaces. DRL 13, Volume I, Book 2, is incorporated by 
reference into this report as a detailed description of the GN&C Subsystem major 
assemblies and will become the primary working document for further analysis. 

Section 3


RELIABILITY AND MAINTAINABILITY ANALYSES 

3.1 CRITICALITY ANALYSIS 

As a guide to emphasis in subsequent checkout technique studies, an analysis 
has been made of the overall subsystem and major component criticality (failure 
probability) of the Space Station subsystems and equipment. As an input to the 
Checkout Requirements Analysis Task, this data along with the failure mode and 
effects data will be useful in determining test priorities and test scheduling. 
Additionally, this data will aid in optimizing checkout system design to ensure 
that confidence of failure detection is increased in proportion to added system 
complexity and cost. 

3.1.1 CRITICALITY ANALYSIS PROCEDURE 

A criticality number (related to failure probability) was generated for each 
major subsystem component. This number is the product of: (1) the component 
failure rate (or the reciprocal of mean-time-between-failure), (2) the component's 
anticipated usage or duty cycle, and (3) an orbital time period of six months, or
4,380 hours. Six months was chosen as the time period of interest to allow one
missed resupply on the basis of normal resupply occurring at three-month intervals. 
The criticality number, then, is the failure expectation for a particular component 
over any six-month time period. 

For visibility, the major components of each subsystem analyzed have been 
ordered according to the magnitude of their criticality numbers. This number, 
however, should not be considered as an indication of the real risk involved, since 
it does not take into account such factors as redundant components, subsystem 
maintainability, and the alternate operational procedures available. 

Overall subsystem criticality has been determined by a computerized 
optimization process whereby spares and redundancy are considered in terms of 
a trade-off between increased reliability and weight. This determination,
therefore, reflects not only the failure probability of subsystem components, but also
the probability that a spare or redundant component may not be available to 
restore the subsystem to operational status. The methodology used is described 
in Section 9, Long-Life Assurance Study Results, DRL 13 (Preliminary Subsystem 
Design Data), Volume III (Supporting Analyses), Book 4 (Safety/Long Life/Test 
Philosophy) from the MDAC Phase B Space Station Study. Component-level failure 
mode and criticality data are presented in subsequent paragraphs. 

3.1.2 SUBSYSTEM CRITICALITY DATA


The Guidance, Navigation and Control (GN&C) Subsystem has a six-month
reliability of 0.998 and requires 1,000 pounds of spares for its achievement. An 
ordered ranking of GN&C component criticality is provided in Table 3-1. 

3.2 FAILURE EFFECTS ANALYSIS (FEA) 

The procedure employed in this section is similar to that of the earlier FEA 
analysis, except that a distinction was made between "single" and "multiple" 
failures. The term "multiple failures" implies complete loss of the function under 
consideration. A description of the baseline subsystems is contained in Section 2. 

Generally, this FEA, coupled with other results, indicates that no failure 
modes exist which invalidate the onboard checkout concepts. It is noted that this 
analysis was conducted at the component level, commensurate with available 
Space Station subsystem design definition. 

The results of the Guidance, Navigation and Control (GN&C) Subsystem FEA 
are given partially in Table 3-2, as an example. 

3.3 MAINTENANCE CONCEPTS 

General maintenance concepts are discussed in Section 7. Those specifically 
applicable to the GN&C Subsystem are discussed below. 

The Guidance, Navigation and Control (GN&C) assemblies will be designed 
for maintenance at the modular level except for the precision sensor assemblies. 
The sensor assemblies, in general, will be replaced as a unit because of the tight 
mechanical tolerances involved in the assembly packaging. The instrument gyros 
shall be replaceable individually from the gyro assembly; and all gyros shall be 
interchangeable. Onboard calibration of the gyros shall be used to define their 
sensitive axis alignment. 

The various control and interface electronics shall be contained in 
standardized plug-in modules. 

The control moment gyros shall be located in pressurized (or pressurizable) 
compartments for ready access to maintenance. CMGs shall be designed for 
component repair/replacement capability. 

Table 3-1. Guidance, Navigation, and Control Criticality Ranking

Component                     Single Unit   Conditioned Loss   Remarks
                              Criticality   Criticality
                              (10^-6)       (10^-6)

Attitude Gyro Assembly        87,600        760                Considers backup for each of 3 gyros
Sensor Interface Electronics  72,000        500                Estimate based on internal redundancy and
                                                               backup unit
Star Sensor Assembly          50,000        300                Considers horizon sensor assembly as degraded
                                                               backup means of S/S reference
CMG Electronics               44,000        50                 Includes risk that nonoperating electronics has
                                                               failed
Star Tracker Assembly         41,800        72                 Considers one operating and one nonoperating
                                                               backup
Control Moment Gyro           21,900        <100               Two nonoperating CMGs
Landmark Tracker Assembly     8,800         8                  Includes risk that nonoperating backup is failed
Alignment Monitoring System   8,800         <10                Considers backup spares failure risk
Low-g Accelerometer           8,780         8                  Considers failure of nonoperating backup
Horizon Detector              7,200         50                 Either detector can provide coarse attitude info
                                                               during artificial-g



Trackers and sensors mounted externally shall be designed for retraction to 
permit repair and replacement in a pressurized volume (shirtsleeve). To provide 
access to the sensor for maintenance, the sensor mount is remotely hinged into 
the unpressurized sensor bay. A hatch is positioned over the opening, sealed, and 
the sensor bay is pressurized. Then, an access hatch is opened from the common 
module to allow sensor maintenance. Sensor alignment and calibration are
provided by the calibration base, which is a structurally rigid element with alignment
monitoring reflectors on the inside end and calibration targets on the outside end. 
After replacement and positioning of the sensor in its operational configuration, 
the alignment monitor determines the calibration base alignment. The sensor is 
then pointed to acquire the targets on the calibration base while the corresponding 
sensor outputs are read off for calibration. 

The laser docking trackers shall incorporate indicators at the docking safety 
officer station to indicate substandard performance with regard to critical 
parameters subject to maintenance control. 

3.4 LINE REPLACEABLE UNIT ANALYSIS


General guidelines and criteria for the definition of LRUs were established
and these, with the maintenance philosophies, were used to determine at what
level line maintenance would be performed. For the Space Station Subsystems,
specific justification applicable to LRU selection for the particular subsystem
under examination was derived from the guidelines, and these justifications are
presented along with the LRU listing. The "functional LRUs" were then
considered in the light of the standard electronic packaging scheme and actual LRUs
were defined and listed. The method employed and the results achieved are
discussed in the following sections.

3.4.1 SPACE STATION SUBSYSTEM LRUs

The definition of Line Replaceable Units (LRUs) is keyed to repairing
subsystems in an in-place configuration with the LRU being the smallest modular unit
suitable for replacement. General factors considered in identifying subsystem
LRUs include: (1) Space Station maintenance concepts; (2) the component-level
failure rates delineated in the criticality analyses; (3) the amount of crew time
and skill required for fault isolation and repair; (4) resultant DMS hardware and
software complexity; and (5) subsystem weight, volume, location, and
interchangeability characteristics. Listings of LRUs and more specific justification
for their selection follow.

Guidance, Navigation and Control (GN&C) Subsystem LRUs are listed in 
Table 3-2. Their selection is influenced largely by the specialized functional 
characteristics of GN&C components and the state-of-the-art in their packaging. 

Table 3-2. Guidance, Navigation, and Control LRUs

LRU                                          Quantity    Quantity
                                             Required    Standby Redundant

Horizon Detector                             2

Gyro Assembly
  Gyros                                      6
  Gyro Electronics Assembly                  6
  Gyro and Accelerometer Mount Assembly      2
  Gyro Power Supply                          2

Horizon Sensor Assembly
  Horizon Sensors                            4
  Horizon Sensor Mount Assembly              1

Star Sensor Assembly
  Star Sensors                               2
  Star Sensor Mount Assembly                 2

Star Tracker Assembly
  Star Trackers                              2           1
  Tracker Electronics Assembly               2           1
  Tracker Mount Assembly                     2           1

Landmark Tracker Assembly
  Landmark Tracker                           1           1
  Tracker Electronics Assembly               1           1
  Tracker Mount Assembly                     1           1

Accelerometer Assembly
  Accelerometer                              1           1
  Accelerometer Electronics                  1           1

Rendezvous Tracker Assembly
  Tracker Assembly                           4
  Gimbal Mount Assembly                      4
  Electronics Assembly                       4

Docking Tracker Assembly
  Tracker Assembly                           7
  Tracker Electronics Assembly               7

Table 3-2. Guidance, Navigation, and Control LRUs (Continued)

LRU                                            Quantity    Quantity
                                               Required    Standby Redundant

Alignment Monitor Assembly (Sensors)
  Signal Transceiver                           2
  Signal Receiver                              2

Alignment Monitor Assembly (Experiments)
  Signal Receiver                              2
  Signal Source                                2

Interface Electronics Assembly
  Inertial Sensor Buffer Module                2           2
  Horizon Sensor Buffer Module                 1           1
  Stellar Sensor Buffer Module                 1           1
  Landmark and Alignment Sensor Buffer Module  1           1
  Laser Tracker Buffer Module                  2           2
  CMG Control Buffer Module                    4           4
  Reaction Jet Control Buffer Module           2           2
  Data Control Module                          4           4

Jet Driver Electronics Assembly
  High Thrust Jet Driver Module                4
  Resistojet Control Module                    4
  Backup Control Electronics Module                        2

CMG Assembly
  CMG Rotor Gimbal Assembly                    4           2
  Torquer Assembly (Inner Gimbal)              4           2
  Torquer Assembly (Outer Gimbal)              4           2

CMG Electronics Assembly
  CMG Rotor Control Modules                    4           2
  CMG Torquer Control Modules                  4           2
2 

Sensing devices used in the GN&C Subsystem are mainly electromechanical
or electro-optical in nature, and are generally configured with a sensor and a 
separate electronics package. In addition, most precision sensing devices are 
mounted on or within a specially designed structure for tight alignment tolerances 
and environment control. Gimbal-mounted tracking sensors, for example, are 
replaced as a unit with the gimbals since the tight mechanical tolerances for the 
gimbals are expected to be only maintainable on the ground. 

Electronic assemblies which interface with the sensors, actuators, and data 
acquisition equipment of the Data Management Subsystem consist of groups of 
similar or identical circuits. These are modularized and replaced at the module 
level to take advantage of having a common spare configuration for several functions. 

Control Moment Gyro Assemblies (CMGs) are large electromechanical devices 
which are constructed for long life operation with tight mechanical tolerances. The 
only on-orbit repair capability planned for these assemblies is the replacement of 
torquer-resolver units. The mechanical tolerance level required for long CMG life
requires further breakthroughs in design technology before bearings and rotor can 
be considered as being replaceable on orbit. 

Section 4


OCS CHECKOUT STRATEGIES

4.1 SUBSYSTEM CHECKOUT STRATEGY


Before further requirements analysis, it is necessary to develop a checkout 
strategy for all Space Station subsystems to meet checkout objectives, which can 
be summarized as follows: 


• To increase crew and equipment safety by providing an immediate 
indication of out-of-tolerance conditions 

• To improve system availability and long-life subsystems assurance
by expediting maintenance tasks and increasing the probability 
that systems will function when needed 

• To provide flexibility to accommodate changes and growth in both 
hardware and software 

• To minimize development and operational risks 

Specific mission or vehicle-related objectives which can be imposed upon 
subsystem level equipment and subsystem responsibilities include the following: 

• OCS should be largely autonomous of ground control. 

• Crew participation in routine checkout functions should be minimized. 

• The design should be modular in both hardware and software to
accommodate growth and changes.

• OCS should be integrated with, or have design commonality with,
other onboard hardware or software.

• The OCS should use a standard hardware interface with equipment 
under test to facilitate the transfer of data and to make the system 
responsive to changes. 

• Failures should be isolated to an LRU such that the faulty unit can be 
quickly removed and replaced with an operational unit. 

• A Caution and Warning System should be provided to facilitate crew
warning and automatic "safing" where required. 

• Provisions must be included to select and transmit any part or all 
of the OCS test data points to the ground. 

To attain these objectives via the use of an Onboard Checkout System which 
is integrated with the Data Management System, checkout strategies have been 
developed which are tailored to each Space Station subsystem. 

Special emphasis has been applied to a strategy for checkout of redundant 
elements peculiar to each subsystem. The degree to which each of these functions 
is integrated into the DMS is also addressed. 

4.1.1 SPACE STATION SUBSYSTEMS

Each major Space Station subsystem was examined with respect to the
required checkout functions. The checkout functions associated with each subsystem
are identified and analyzed as to their impact on the onboard checkout task. The 
functions considered are those necessary to verify operational status, detect and 
isolate faults, and to verify proper operation following fault correction. Specific 
functional requirements considered include stimulus generation, sensing, signal 
conditioning, limit checking, trend analysis, and fault isolation. 

4.1.1.1 Guidance, Navigation, and Control Subsystem

The Guidance, Navigation, and Control (GN&C) Subsystem contains the 
sensors, including gyroscopes, accelerometers, horizon sensors, star trackers, 
and landmark trackers, and the associated electronics required to provide attitude 
stabilization and navigation for the Space Station. The subsystem also includes 
laser devices for rendezvous and docking. 

4.1.1.1.1 Checkout Functions

Checkout and fault isolation of the GN&C Subsystem involves a combination 
of operational limit and validity checks and functional testing. Normal operational 
monitoring utilizes the inherent self-verification capability of the subsystems 
which accrues from redundant and complementary attitude and navigational sensing 
features. Items such as gyros, accelerometers, horizon sensors, star sensors, 
star trackers, and landmark trackers are implemented redundantly, allowing 
cross-correlation of outputs from the multiple units. Further, certain of these 
sensors are complementary to each other, allowing an additional dimension of 
correlation. Star tracker outputs, for example, can be checked against landmark 
tracking data for validation. Fault isolation is accomplished by majority voting 
techniques and by input/output functional testing using combinations of normal
operational functions and artificial test stimuli. Examples of the latter include a
simulated star source which is part of the star tracker assembly, torquing coils
for stimulation of gyro outputs, and sensor output simulation signals for
verification of downstream electronics. Other forms of operational monitoring include
limit testing and trend analysis of selected performance parameters. 

• Stimulus Generation - Checkout stimuli are required to perform periodic 
subsystem functional tests and calibrations and to aid in fault isolation 
to the LRU level. Typical stimuli include gyro torquing signals,
simulated detector outputs for the horizon sensors, star sensors, star
trackers, landmark trackers, accelerometers, and various test stimuli 
for the associated electronics packages such as the jet driver logic. 
These are in addition to the normal control signals such as switching 
and gimbal commands. 

• Sensing - A detailed listing of measurement requirements is included in 
the Task 1 final report. 

• Signal Conditioning - Measurement signal conditioning is required to 
normalize the sensor outputs listed above. The required conditioning 
circuitry is provided as an integral part of the sensor assembly or in 
the Interface Buffers which provide the interface between the attitude 
and navigational sensors and the preprocessors. 

• Limit Checking and Trend Analysis - Continuous or periodic limit 
checking is required on a small number of parameters such as gyro 
temperature and CMG rotational speed, vibration, and bearing temper- 
ature. Trend analysis of the CMG functions is expected to be meaning- 
ful in predicting wearout or failure of these units. 
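
The following sketch is an added illustration of the fault isolation approach described in this subsection; it is not code from the study. It shows majority voting across redundant units, with an input/output stimulus test as the fallback when the units disagree but no majority exists. Unit names, tolerances, and readings are constructed, and the apply_stimulus callable stands in for a hardware stimulus such as a gyro torquing signal or the simulated star source.

```python
"""Fault isolation across redundant sensors: majority voting first, then an
input/output stimulus test when voting alone cannot name the faulty unit.
Added illustration; unit names, tolerances and readings are constructed."""


def vote(readings, tolerance):
    """Cross-correlate the outputs of redundant units.

    readings  -- dict of unit name -> measured value (same engineering units)
    tolerance -- largest difference at which two units still agree
    Returns (status, voted_value, suspects) where status is
      "ok"        every unit is backed by a strict majority
      "isolated"  a strict majority agrees; suspects are the outvoted units
      "detected"  units disagree but no majority exists (1 vs 1, 2 vs 2)
    """
    if len(readings) < 2:
        raise ValueError("voting needs at least two redundant units")
    backed = []
    for unit, value in readings.items():
        # Number of units (this one included) whose output agrees with it.
        peers = sum(1 for other in readings.values()
                    if abs(other - value) <= tolerance)
        if peers * 2 > len(readings):
            backed.append(unit)
    if not backed:
        return "detected", None, sorted(readings)
    voted = sum(readings[u] for u in backed) / len(backed)
    suspects = sorted(u for u in readings if u not in backed)
    return ("isolated" if suspects else "ok"), voted, suspects


def stimulus_test(units, apply_stimulus, expected, response_tolerance):
    """Drive each listed unit with the same calibrated stimulus and return the
    units whose response misses the expected value."""
    return sorted(u for u in units
                  if abs(apply_stimulus(u) - expected) > response_tolerance)


def isolate(readings, tolerance, apply_stimulus, expected, response_tolerance):
    """Voting, with the stimulus test as fallback and as confirmation."""
    status, voted, suspects = vote(readings, tolerance)
    if status == "ok":
        return {"status": "ok", "value": voted, "faulty": []}
    faulty = stimulus_test(suspects, apply_stimulus, expected,
                           response_tolerance)
    if status == "isolated":
        # An outvoted unit that passes its stimulus test is reported as
        # unconfirmed rather than cleared.
        confirmed = faulty == suspects
        return {"status": "isolated" if confirmed else "unconfirmed",
                "value": voted, "faulty": suspects}
    # No majority: only the stimulus test can separate good from bad units.
    good = [readings[u] for u in suspects if u not in faulty]
    if faulty and good:
        return {"status": "isolated", "value": sum(good) / len(good),
                "faulty": faulty}
    return {"status": "unresolved", "value": None, "faulty": faulty}


def demo():
    # Constructed readings: three rate gyros (deg/s), one of them drifting.
    gyros = {"gyro_a": 0.0502, "gyro_b": 0.0498, "gyro_c": 0.0910}
    # Constructed readings: two star trackers (deg) that disagree, so voting
    # can detect the fault but cannot say which tracker is wrong.
    trackers = {"st_1": 12.40, "st_2": 12.95}
    # Constructed responses of each tracker to a simulated star at 5.00 deg.
    star_source = {"st_1": 5.02, "st_2": 5.61}
    return (vote(gyros, 0.002),
            vote(trackers, 0.1),
            isolate(trackers, 0.1, star_source.get, 5.00, 0.05))


if __name__ == "__main__":
    for result in demo():
        print(result)
```
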

4.1.1.1.2 Redundant Element Checkout

Redundancy in the GN&C Subsystem is predominantly in the form of installed 
and operational equipment such as redundant accelerometers, horizon sensors, 
star trackers, etc. The redundant equipment is normally on line and is imple- 
mented in such a way that it can be tested independently without disturbing sys- 
tem operation. It therefore presents no special problems from the checkout 
standpoint. An exception is the spare CMGs, which are installed in a standby 
(nonoperating) condition. The standby units must be tested periodically to assure 
availability. This periodic test will consist of a partial spin-up and gimbal check. 
Full speed spin-ups are not planned because of the long time (several hours) re- 
quired to achieve rated speed and because full speed is not necessary to verify 
operation. 

4.1.1.1.3 Integration with Data Management Subsystem

All control functions as well as the test sequencing and fault isolation for 
the GN&C Subsystem are performed by the DMS computer. Test stimuli generators 
and measurement signal conditioning are contained in the GN&C Subsystem. The 
subsystem interfaces with the DMS through the GN&C interface buffers. These 
buffers receive control information from the DMS in digital form and provide the 
necessary logic, signal routing, digital-to-analog conversion, and other functions 
required to control the GN&C equipment. The buffers also provide the multiplex- 
ing and analog-to-digital conversion required to translate the GN&C equipment 
outputs to digital formats compatible with the DMS interface. 


4.2 INTEGRATED CHECKOUT STRATEGY 

This analysis identifies the integrated checkout functions associated with 
Space Station subsystems during the manned orbital phase of the mission. These 
functions are depicted in Figure 4-1 and are those required to ensure overall 
availability of the Space Station. Characteristic of integrated testing is the fact 
that the test involves subsystem interfaces, and, therefore, test objectives are 
associated with more than one subsystem. 

4.2.1 INTEGRATED STRATEGY

Six checkout functions have been identified: 

• Caution and warning 

• Fault detection 

• Trend analysis 

• Operational status 

• Periodic checkout 

• Fault isolation 


These functions represent a checkout strategy of continuous monitoring and 
periodic testing with eventual fault isolation to a line replaceable unit (LRU). 
Under this aspect the functions are grouped as - 


CONTINUOUS MONITORING

• Caution and warning
• Fault detection
• Trend analysis
• Operational status

PERIODIC TESTING

• Automatic tests
• Operational verification

FAULT ISOLATION

• Localize to SS
• Isolate to LRU

Figure 4-1. Integrated Checkout Functional Flow

General characteristics of these groups are defined below:


4.2.1.1 Continuous Monitoring

Continuous monitoring is not a test per se. It is a concept of continuously 
sampling and evaluating key subsystem parameters for in/out-of-tolerance
conditions. This evaluation does not necessarily confirm that the subsystems have
failed or are operating properly. The evaluation is only indicative of the general 
status of the subsystems. For example, a condition exists where the integrated sub- 
systems are indicating in-limit conditions, but during the next series of attitude con- 
trol commands, an error in Space Station position is sensed and displayed. Since 
three subsystems, DMS, GN&C, and P/RCS, are involved in generating and 
controlling the Space Station attitude, a "positional error" malfunction is not 
directly related to a subsystem malfunction. The malfunction indication is only 
indicative of an out-of-tolerance condition of an integrated function. Final resolu- 
tion of the problem to a subsystem and eventually to LRU will require diagnostic 
test procedures that are separate from the continuous monitoring function.

There are situations in which the parameters being monitored are intended 
to be directly indicative of the condition of a subsystem or an LRU. Examples of 
these include tank pressures, bearing temperatures, and power source voltages. 
However, even in these simpler cases when a malfunction is detected, an integrated 
evaluation will be performed to ascertain that external control functions, transducers, 
signal conditioning, and the DMS functions of data acquisition, transmission, and 
computation are performing properly. This evaluation will result in either a sub- 
stantiation of the malfunction or identification of a problem external to the param- 
eter being monitored. 

Figure 4-1 shows the logic associated with each function in the continuous 
monitoring group, as well as the integrated relationships between these and the 
total checkout functions. The caution/warning and fault detection functions are 
alike in their automatic test and malfunction detection approaches, but are differ- 
ent in terms of parameter criticality and malfunction reaction. The caution/warn- 
ing function monitors parameters that are indicative of conditions critical to crew 
or equipment safety. Parameters not meeting this criticality criterion are handled
as fault detection functions. Figure 4-1 shows that in the event of a critical mal- 
function, automatic action is initiated to warn the crew and sequence the sub- 
systems to a safe condition. Before this automatic action is taken, the subsystems 
must be evaluated to ascertain that the failure indication is not a false alarm and 
that the corrective action can be implemented. After the action is taken, the sub- 
systems must be evaluated to determine that proper crew safety conditions exist. 

Since automatic failure detection and switching can be integral to subsystem de- 
sign (self-contained correction) and subsystems can be controlled by the operation- 
al software or manual controls, it is imperative that the status of these events be 
maintained and that the fault detection and correction software be interfaced with 
the prime controlling software. For malfunctions that are not critical, the crew 
is notified of their occurrence, but any subsequent action is initiated manually. 

The next continuous monitoring function, trend analysis, automatically acquires
data and analyzes the historical pattern to determine signal drift and the
need for unscheduled calibration. It also predicts faults and indicates the need 
for diagnostic and fault isolation activities. An example of a parameter in this 
category is the partial pressure of nitrogen. Nitrogen is used to establish the 
proper total pressure of the Space Station. Since it is an inert gas, the only make- 
up requirements are those demanded by leakage or airlock operation. The actual 
nitrogen flow rate is measured, and calculations are performed which make 
allowances for normal leakage and operational use. When these calculations 
indicate a trend toward more than anticipated use, the crew is automatically 
notified and testing is initiated to isolate the problem to the gas storage and 
control equipment or to an excessive leak path. The historical data is not only 
useful in predicting conditions but is also useful in providing trouble-shooting clues. 
The data might reveal, for example, that the makeup rate increased significantly 
after the use of an airlock. This could lead directly to verifying excessive seal 
leakage. 
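
The nitrogen makeup example above can be sketched as follows. This is an added illustration, not code from the study: the leakage and airlock allowances, the alarm limits, and the ten-day log are constructed values. The sketch removes the anticipated use from each day's measured makeup, fits a trend to the remainder, and checks whether the largest step increase follows an airlock operation.

```python
"""Trend analysis of nitrogen makeup use (added illustration).
Allowances, limits and the sample log are constructed values."""

NORMAL_LEAK_LB_PER_DAY = 1.0      # assumed allowance for normal leakage
AIRLOCK_LOSS_LB_PER_CYCLE = 0.5   # assumed allowance per airlock operation


def excess_use(log):
    """log: list of (day, measured_makeup_lb, airlock_cycles).
    Returns [(day, excess_lb)] after removing the anticipated use."""
    return [(day,
             used - NORMAL_LEAK_LB_PER_DAY - cycles * AIRLOCK_LOSS_LB_PER_CYCLE)
            for day, used, cycles in log]


def slope(points):
    """Least-squares slope of excess use against time (lb/day per day)."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("need samples from at least two different days")
    return sum((x - mean_x) * (y - mean_y) for x, y in points) / sxx


def largest_step(points):
    """Find the split that maximizes (mean after) - (mean before).
    Returns (first_day_of_higher_level, step_size_lb)."""
    best = None
    for i in range(1, len(points)):
        before = [y for _, y in points[:i]]
        after = [y for _, y in points[i:]]
        step = sum(after) / len(after) - sum(before) / len(before)
        if best is None or step > best[1]:
            best = (points[i][0], step)
    return best


def analyze(log, slope_limit, step_limit):
    """Flag a trend toward more than anticipated use and look for the
    troubleshooting clue the report describes: a step after airlock use."""
    points = excess_use(log)
    trend = slope(points)
    day, step = largest_step(points)
    step_day = day if step > step_limit else None
    airlock_days = {d for d, _, cycles in log if cycles > 0}
    after_airlock = step_day is not None and (
        step_day in airlock_days or step_day - 1 in airlock_days)
    return {"trend_alarm": trend > slope_limit, "slope": trend,
            "step_day": step_day, "after_airlock": after_airlock}


# Constructed log: (day, measured makeup in lb, airlock cycles that day).
# Makeup matches the allowances until the airlock is used on day 6, after
# which 0.4 lb/day more than anticipated is consumed.
LEAKY_SEAL_LOG = [
    (1, 1.0, 0), (2, 1.0, 0), (3, 1.5, 1), (4, 1.0, 0), (5, 1.0, 0),
    (6, 1.5, 1), (7, 1.4, 0), (8, 1.4, 0), (9, 1.4, 0), (10, 1.4, 0),
]

if __name__ == "__main__":
    print(analyze(LEAKY_SEAL_LOG, slope_limit=0.02, step_limit=0.2))
```
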

The final continuous monitoring function is operational status. This function
is performed by the crew and is nonautomatic with the exception of the DMS com- 
puter programs associated with normal Space Station operational control and 
display functions. The concept of continuous monitoring recognizes and takes
advantage of the crew's presence and judgment in evaluating Space Station per- 
formance. In many instances the crew can discern between acceptable and un- 
acceptable performance, and they can clearly recognize physically-damaged 
equipment or abnormal conditions. 

4.2.1.2 Periodic Testing

As opposed to continuous monitoring, periodic testing is a detailed evalua- 
tion of how well the Space Station subsystems are performing. Figure 4-1 shows 
that periodic testing is not accomplished by any one technique. Rather, a com- 
bination of operational and automatic test approaches is employed. The actual 
operational use of equipment is often the best check of the performance of that 
equipment. Operation of Space Station equipment and use of the normal operating 
controls and displays will be used in detecting faults and degradation in the sub- 
systems. This mode of testing is primarily limited to that equipment whose 
performance characteristics are easily discernible, such as for motors, lighting 
circuits, and alarm functions. 

Automatic testing is performed in two basic modes: 

• With the subsystems in an operating mode, the DMS executes a diagnos- 
tic test procedure which verifies that integrated Space Station functions 
are being properly performed under normal interface conditions in
response to natural or designed stimulation. This mode of testing 
allows the evaluation of Space Station performance without interrupting 
mission operations. 

• For those situations where the integrated performance or interface 
compatibility between subsystems cannot be determined without known 
references or control conditions, the DMS will execute a diagnostic 
procedure in a test mode. In this mode, control, reference, or bias 
signals will be switched in or superimposed on the subsystems to allow 
an exact determination of their performance or localization of problem 
between the interfaces. Since the test mode may temporarily inhibit 
normal operations, the DMS must interleave the test and operational 
software to maintain the Space Station in a known and safe configuration. 

The scheduled automatic tests are performed to verify availability or proper 
configuration of "on-line" subsystems, redundant equipment, and alternate modes. 

• Periodic Verification of "On-Line" Subsystems - The first checkout 
requirement is a periodic verification that on-line subsystems are 
operating within acceptable performance margins. The acceptance
criteria for this evaluation are based on subsystem parameter limits and
characteristics exhibited during Space Station factory acceptance or
pre-flight testing. The rejection criteria and subsequent decision to
repair or reconfigure subsystems are based on the criticality of the
failure mode. If the subsystems appear to be operating properly, but 
the test clearly indicates an out-of-tolerance condition, then one of the 
following alternatives must be implemented: 

If the failure mode is critical, the crew normally takes immediate 
action to isolate and clear the problem. 

If the failure mode is not critical, the crew can take immediate 
action, schedule the work at a later time, or wait until the condi- 
tion degrades to an unacceptable level. 

• Redundant Equipment Verification - A second checkout requirement is 
verifying that standby, off-line, or redundant equipment and associated 
control and switching mechanisms are operable. The acceptance/rejection
criteria for these evaluations are identical to those for normally
operating equipment. A primary distinction of this function is that 
equipment may have known failures from previous usage or tests. This 
situation occurs when the crew has knowledge of a failure but has not 
elected to perform the necessary corrective action. The checkout 
function then becomes one of equipment status accounting and maintenance/repair
scheduling. The status information is interlocked with
mission procedures and software to preclude activation of failed units 
while they are being repaired or until proper operation following repair 
is verified. 

• Alternate Mode Verification - The third checkout function is verifying the 
availability of alternate modes of operation. This function is essentially 
a confidence check of the compatibility of subsystems' interaction and
performance during and after a change in the operating mode. To some 
extent this function overlaps with redundant equipment verification, but 
is broader in scope in that it verifies other system-operating character- 
istics. For example, some modes will involve manual override or 
control of automatic functions or automatic power-down sequences. 

4.2.1.3 Fault Isolation

Fault isolation to an LRU is a Space Station goal. As shown in Figure 4-1, 
fault isolation testing is initiated when malfunction indications cannot be directly 
related to a failed LRU. The integrated test functions associated with fault isola- 
tion are localizing a malfunction to a subsystem or to an explicit interface between 
two subsystems and identifying the subroutine test necessary for LRU isolation. 

In structuring this relationship between integrated subsystem tests for fault local- 
ization and subroutine tests for fault isolation, the DMS, in conjunction with the 
test procedure documentation, must establish an effective man-machine interface 
so that in the event of an unsolved malfunction the crew will be able to help evalu- 
ate the condition and determine other test sequences necessary to isolate the 
problem. To accomplish this requirement, the DMS must be capable of displaying 
test parameters and instructions in engineering units and language and be capable 
of referencing these outputs to applicable documentation or programs that correl- 
ate test results to corrective action required by the crew. 

Section 5


ONBOARD CHECKOUT TEST DEFINITIONS

5.1 SUBSYSTEM TEST DEFINITIONS


The on-orbit tests required to insure the availability of the Space Station 
subsystems are defined herein. Also delineated are the measurement and 
stimulus parameters required to perform these tests. Two discrete levels of 
testing are defined, i.e., continuous status monitoring tests for fault detection of
critical and noncritical parameters, and subsystem fault isolation tests for 
localization of faults to a specific Line Replaceable Unit. In addition to these two 
levels, tests are defined for periodic checkout and calibration of certain units, 
and parameters requiring analysis of trends are defined. 

Due to the software module approach to DMS checkout, it was deemed 
necessary to estimate the CPU time and memory required to implement these 
modules along with an assessment of the services required from an Executive 
Software System to control the checkout. 

These test descriptions, measurement, and stimulus information provided 
for each subsystem, and the software sizing information provided for the Data 
Management System provide the data required to estimate the checkout impact 
on the DMS software and hardware. Table 5-1 is a summary of the measurement 
and stimulus requirements for the Space Station. 


The Guidance, Navigation and Control (GN&C) Subsystem operates in a 
closed-loop mode with the Data Management and Propulsion Subsystems as 
elements of the loop. Normal operation is fully autonomous. Station attitude, 
position, and rate information are derived by the DMS from the GN&C sensors 
such as star trackers, horizon sensors, gyros, and accelerometers. Reaction 
controls are then computed by the DMS and transmitted to the propulsion 
thrusters. GN&C operation is thus closely integrated with both of these other 
subsystems. Operation is also influenced to a high degree by external factors 
such as shifts in vehicle mass, drag, and center of gravity and by disturbances 
such as docking impacts. These factors must be accounted for in performing 
checkout and fault isolation tasks. 

Table 5-1. Measurement/Stimulus Summary



5.1.1 STATUS MONITORING 


Fault detection within the GN&C Subsystem is accomplished primarily by 
monitoring of selected performance parameters and comparing the resulting 
measured or computed values with predetermined limits and/or against parallel 
redundant parameters. The parameters to be monitored in this manner are listed 
in the Status Monitoring column of Appendix 1-1, Task 1 Final Report. Precise 
sampling intervals are not required. Detection of an out-of-limit condition results 
in immediate notification of the crew. In the case of critical parameters or where 
otherwise deemed desirable, a fault isolation routine is automatically
initiated to identify the faulty LRU. Otherwise, initiation of further action is a crew 
option. 

Fault detection procedures must be conditioned where necessary to account 
for external disturbances. For example, leakage or venting from the Station will 
cause a response to the subsystem similar to that of a failed open reaction jet. A 
change in the Station configuration, such as that due to docking or undocking of 
experiment or crew cargo modules will result in subsystem performance pertur- 
bations which can be interpreted as faults unless these events are accounted for in 
the subsystem logic. 

Sixteen caution functions have been identified for the GN&C Subsystem.
These are the bearing temperature and vibration monitors for the CMGs.

5.1.2 TREND ANALYSIS 

Certain of the GN&C performance parameters are amenable to trend analysis 
for detection of degradation or pending failure. These are identified in the Trend 
column of Appendix 1-1, Task 1 Final Report. Included are gyro and accelerometer 
temperatures, laser transmitter power and CMG spin rate, temperature, and vibra- 
tion. Trend data of another type is required on the frequency and duration of high 
thrust reaction jet firing. This data is necessary to determine actual versus 
scheduled energy requirements and fuel consumption. 

5.1.3 PERIODIC CHECKOUT AND CALIBRATION 

Since most GN&C faults are detectable by operational monitoring, periodic 
checks are performed primarily to ascertain that qualitative performance param- 
eter degradations which are not obviously detectable have not occurred, and to 
detect failures in inactive or standby equipment. Calibration is a subtask of the 
periodic checkout and will be conducted during the periodic event. Checkout 
intervals are nominally once per month based on predicted performances of the 
components. The horizon detectors for artificial-g operation, star trackers for 
inertial orientation, and rendezvous and docking trackers are used infrequently 
and will require function testing prior to the respective events. The automatic
landmark tracker, which is a new flight item, is checked once per week for the
first year when it is being flight tested. After the first year, it is checked once 
per month, as is the rest of the subsystem. 

Checkout utilizes preprogrammed checkout routines and employs the tech- 
nique of introducing calibrated stimuli at the first practical point in the forward 
path of the GN&C loop and monitoring subsequent downstream points for checks 
and calibration. Most of the downstream monitoring points are operational data 
interfaces with the DMS and DMS-computed data, such as attitude or position 
errors. The test sequence therefore begins with verification, through self-diagnostic
routines, of the DMS software and DMS/GN&C interfaces. This is followed
by verification of the sensor electronics and data buffers and of the sensors them- 
selves. The final portion of the sequence checks the reaction control elements of 
the subsystem, including the CMGs and the jet drivers. 

5.1.4 FAULT ISOLATION

All stimulus and measurement parameters are utilized for fault isolation.
As indicated previously, fault detection is accomplished through direct measure-
ment of these parameters or through DMS computations based upon these measure- 
ments. The DMS-computed fault detection is generally at the system level and is 
in terms of excessive attitude, position, or instrument pointing errors. The 
directly detected faults, such as excessive CMG bearing temperature, are general- 
ly more component or assembly oriented. In either case, the fault isolation function 
involves systematic analysis of the fault indicators and associated functions using 
the normal operating input/output relationships plus special test stimuli where 
necessary. Applicable portions of the periodic checkout routines are used. 

Since fault isolation is to the LRU level, some of the more familiar com- 
ponent monitor parameters are omitted from the stimulus/measurement list. An 
example is the spin rate monitor of the instrument gyro. This is an often monitored 
function in many applications but in this instance, the gyro performance is verified 
by the response to a command torquing signal which checks the gyro as an overall 
transfer function. If the response is out-of-specification, then the gyro as an LRU 
will be replaced regardless of whether it was the spin rate, signal generator, 
torquer scale factor, or any other fault which caused the deviation.

A typical test and fault isolation routine is diagrammed in Figure 5-1. This 
routine involves the Laser Rendezvous Tracker, which is used to acquire and 
track docking targets. The device transmits a coherent parallel pulsed light beam 
and detects energy returned from a passive reflector on the target vehicle. Coarse
pointing of the beam is achieved by mechanical gimbals, while fine pointing is 
achieved by a piezoelectric beam deflector and optical deflection amplifier. The
device provides angles, range, and range rate as outputs. Three LRUs are in-
volved, these being the tracker head, the gimbal assembly, and the electronics
assembly. The tracker head includes an optical self-test mode which allows a
portion of the transmitted pulse to be reflected back into the receiver.

Figure 5-1.

The test sequence shown in Figure 5-1 assumes that no actual target is 
available. The test is therefore not 100 percent complete in that the actual beam 
pointing accuracy cannot be verified. 

5.2 INTEGRATED TEST DEFINITION 

The task of ensuring overall Space Station availability is primarily dependent 
upon the proper structuring of individual subsystem tests. The ability to test the sub- 
systems independent of other subsystems is directly related to the number and types 
of interfaces. As shown in Figure 5-2, the DMS and Electrical Power Subsystems 
(EPS) interface with every other Space Station subsystem. In addition, the EC/LS 
Subsystem provides cooling to most of the electronic packages. This situation 
demands that in constructing the test for a subsystem these interfaces be taken 
into account so that erroneous or ambiguous test results will not be obtained. In 
other words, before detailed subsystem fault isolation tests are initiated, a 
higher level of testing should be performed to verify that all interfaces and 
Space Station conditions that influence the subsystem are proper. Properly 
designed, these higher-level tests will (1) indicate what Space Station conditions
must be verified, maintained, or changed; (2) localize the malfunction to a single 
subsystem; and (3) identify the subroutine test necessary for fault isolation. 

Since the DMS interfaces with all of the Space Station subsystems and is 
used as the OCS, it would appear that all of the tests would be integrated. How- 
ever, this is not a proper interpretation. When the DMS is used to verify the 
performance of another subsystem, it must first establish itself as a test standard 
against which the subsystem parameters are compared. Subsequent to this veri- 
fication, the test is dedicated to the evaluation of the subsystem. This test would 
be considered as an independent test since the objective of the test was to verify 
the subsystem and not the DMS. For a test to be considered as an integrated test 
it must meet one or more of the following conditions: 

• Test objectives associated with more than one subsystem 

• Test involves subsystem interfaces 

• Test requires proper operation of other subsystems 

In several cases, the DMS must simultaneously perform the dual role of
OCS and functional elements. As an example, the DMS has a functional interface 
with the GN&C and Prop Subsystems for the computation of guidance equations and 
the execution of commands to the control actuators. When this functional closed 
loop is being tested, the DMS must, in addition to performing its normal functions, 
execute the test routine. For this type of integrated test there must be an intrinsic 
relationship between the operational and test software. This relationship must be 
carefully considered in structuring the integrated tests since unstable or inter- 
mittent performance may be detected only in the exact operating mode under 
closed-loop conditions. The number of integrated tests is not extensive due to the 
approach of minimizing the different types of interfaces between Space Station sub- 
systems. For example, interfaces between the DMS and other subsystems are 
largely standardized. As a result, relatively common tests can be designed for 
verification of the multitude of DMS subsystem interfaces or for localization of a 
fault to one side of a DMS subsystem interface. All special integrated tests that 
have been identified are discussed in the following paragraphs. The GN&C/DMS/ 
PROP configuration for navigation and attitude control poses the most difficult 
problem for on-orbit testing so it is presented in significant detail. Other inte- 
grated tests are summarized. 


5.2.1 GN&C/DMS/PROP 
5.2.1.1 Block Diagram

Figure 5-3 shows the block diagram for the GN&C/DMS/PROP Subsystems 
as configured for the zero g, horizontal mode of operation. The subsystems are 
shown at the LRU level with all primary functional interfaces. For simplicity, 
prime power inputs, cold plate interfaces, and mechanical or fluid connections 
are not shown. 

5.2.1.2 Functional Description


The GN&C Subsystem accommodates both the artificial-g and zero-g operations
of the Space Station. In the zero-g mode of operation, the GN&C Subsystem
provides autonomous navigation, rendezvous command, traffic control, automatic 
docking, and stabilization and control of the Space Station. 

The autonomous navigation scheme utilizes the stellar inertial reference 
data and the automatic landmark tracker augmented with the drag accelerometer. 
The navigation is accomplished by automatically tracking known and unknown land- 
marks several times each orbit. The landmark tracker is similar in operation and
mechanization to a gimballed star tracker. The drag accelerometer accounts for
anomalies due to Space Station orientation and docked module changes which 
contribute to navigation errors. 

Both ground tracking and onboard subsystems will provide the navigation 
information for the first year or so of the Space Station Program. The ground- 
generated data will be transmitted onboard for evaluation of the autonomous 
navigation system performance. As the confidence in autonomous operation is 
increased through this parallel operation, the ground tracking is to be phased out. 

In all operating modes and orientations, the gyros provide the high-frequency 
rate and attitude information necessary to supplement the data from the stellar 
sensors and the horizon sensors. 

A more accurate Earth-centered reference is obtained in the horizontal
orientation through the use of the strapdown star sensors. The star sensors provide
the long-term, drift-free inertial reference data while the gyros provide the
short-term, high-frequency attitude and rate information. The passive star sensors
are used while the Space Station is maintained in an Earth-centered
orientation. The constant rotational rate required of the vehicle to maintain this 
type of orientation provides the scanning motion for the star sensors, which are 
completely passive and provide no tracking or scanning capability of their own. 
The sensors themselves provide inertial attitude data which is transformed into
Earth-centered attitude information by use of the navigation parameters. By this
method, both inertial attitude and Earth-centered attitude are derived from the
passive star sensors while the vehicle is in the horizontal or other Earth-centered
orientation. This Earth-centered orientation is considered to be most responsive
to experiment and subsystem requirements.

Figure 5-3. GN&C/DMS/PROP Configuration for Zero-G Horizontal Mode

Primary attitude control actuation is provided by control moment gyros 
(CMGs). A CMG configuration utilizing four double-gimballed CMGs, each having
a momentum capacity of 1,100 ft-lb-sec, was selected for the isotope/Brayton-powered
Space Station. Both High and Low-Thrust Propulsion Systems are
utilized by the GN&C Subsystem for CMG desaturation and backup attitude control 
capability. The reaction jet control buffer provides the interface with the 
Propulsion Subsystem. 

The DMS provides the link between the sensors, which are used to determine 
the vehicle angular position, and the actuators, which are used to maintain or 
change the vehicle angular position. The use of the DMS provides the flexibility 
required during both the development and operational phases to accommodate the 
total Space Station Program objectives. The DMS performs the data processing 
necessary for all guidance, navigation, and attitude control functions. The inter- 
face electronics controls the flow of information from the sensors to the DMS and 
converts all sensor inputs to a standardized format before the inputs are trans- 
ferred. The interface electronics performs a similar function for output informa- 
tion from the DMS to the control actuators. 

5.2.1.3 Test Flow

The test flow for the GN&C/DMS/PROP configuration is shown in Figure 
5-4. The flow demonstrates the technique for malfunction detection, subsystem
localization and fault isolation to the LRU. For simplicity some tests associated 
with prime power, mode commands and cold plate temperatures are omitted. It 
is assumed that in programming the actual tests these types of measurements will 
be implemented as standard procedure. In the same vein, detailed tests of the 
DMS are not shown. Again, it is assumed that the final procedure would contain 
the necessary self-test, command verification, and other checks to maintain
confidence in DMS performance throughout the test. 

Many of these test sequences will be repeated for different channels of data 
or for identical sets of equipment. The test flow does not show the repetition of 
these tests but indicates the need for them. For example, there are four control 
moment gyros (CMGs). The flow shows a typical test for one CMG. It should be 
pointed out that although the detail test sequence will be identical for all CMGs, 
the absolute value of the parameters such as torque commands, gimbal position, 
gimbal rates will be different for all CMGs. In some cases, the test flow 
terminates in an instruction for the DMS to check data transfer. This instruction 
is intended to include all operations necessary to verify that the DMS is 
functioning as required to support the operational and test routine. 

Figure 5-4. GN&C/DMS/PROP Integrated Test Flow (Sheets 1 through 4 of 4) 

5.2.2 GN&C/DMS/COMM 

The DMS has a functional interface with the GN&C and COMM Subsystems 
for the pointing and control of antennas. The GN&C sends navigation and attitude 
information to the DMS which in turn uses it to compute antenna pointing positions 
and slewing rates. Once computed, the DMS transfers these commands to the 
antenna actuators in the Communication Subsystem. 

Localizing a malfunction to one of the three subsystems will be performed 
in a manner similar to that described in subsection 5.2.1. The DMS will verify 
receipt of proper attitude and navigation data from the GN&C Subsystem, check 
its capability to operate on and transform the data into appropriate antenna 
commands, and verify the transmission of the control data to the Communication 
Subsystem. Verification of proper response and operation of Communication Sub- 
system equipment will be aided by the switching and use of redundant transmitters 
and receivers. 

5.2.3 GN&C - PROPULSION SUBSYSTEM INTERFACE 

The Guidance, Navigation, and Control (GN&C) Subsystem operates in a 
closed-loop mode with the DMS and Propulsion Subsystem as elements of the loop. 
Electrical signals to activate appropriate Propulsion Subsystem high thrusters 
are provided by the GN&C jet drivers based upon control information computed 
by the DMS. Although the interface between the DMS and the GN&C is fairly 
complex, the GN&C - Propulsion Subsystem interface is not, and can easily be 
incorporated into tests defined for the Propulsion Subsystem. 
Section 6 


SOFTWARE 


6.1 GENERAL CONSIDERATIONS 

The recommended software checkout strategy involves a sequence of 
detecting faults, isolating faults to a failing LRU or LRUs, and reconfiguring the 
system to continue operation while the failures are being repaired. 

This recommendation was developed by evaluating each subsystem with 
respect to the three general requirements of fault detection, fault isolation, and 
reconfiguration. 

Fault detection incorporates both the recognition of failure occurrence, and 
the prediction of when a failure can be expected to occur. The Remote Data 
Acquisition Units (RDAUs) continually check selected test point measurements 
against upper and lower limits, and notify the executive on an exception basis when 
a limit is exceeded. This approach avoids occupying the central multi-processor 
with the low-information task of verifying that measurements are within limits. 

Trend analysis is a fault detection technique recommended for predicting the 
time frame during which a failure can be anticipated. Data is acquired on a basis 
of time or utilization, and compared with previous history to determine if a "trend" 
toward degraded performance or impending failure can be detected. 

Another checkout requirement evaluated for each subsystem is periodic 
testing. This type of test is provided to exercise specific components at extended 
time intervals or prior to specific events, to assure operational integrity. In the 
event that a failure is detected, the periodic test will isolate to the failing Line 
Replaceable Unit (LRU) and accomplish recertification after a repair operation. 

Calibration of specific subsystem components will be required periodically, 
or subsequent to a repair and/or replace operation. The techniques involved are 
unique to the individual component; and, in some cases, require the acquisition of 
operational data. 

Fault isolation is required when a fault is detected. When a particular fault 
provides an indication that a life critical failure has occurred, the fault isolation 
routines are automatically initiated. If the failure does not represent an immediate 
danger to the vehicle occupants, the crew is notified and they will initiate the fault 
isolation modules at their convenience. 
The basic requirement of the fault isolation function is to analyze the 
available information relevant to a problem, and identify the LRU which is responsible 
for the anomaly. 

Three basic approaches to meeting this requirement were considered. These are: 

• Analyze each fault as an independent problem 

• Analyze each fault with a state matrix which defines the possible error 
states of the subsystem 

• Associate each fault with a specific subsystem, and evaluate that 
subsystem in detail 

The third approach was selected on a basis of software commonality and cost 
effectiveness. The complexity associated with the testing can be reduced by locali- 
zation of the logic associated with the analysis of the subsystem in a unique package. 
The software commonality will result in reduced software development and main- 
tenance costs, while increasing the reliability of the software. 

The fault isolation software is structured modularly for compatibility with 
the hardware structure of the subsystem. Checkout modules evaluate the per- 
formance of a specific portion of the subsystem. A convenient division for this 
modular structure is at the assembly level or functional area. A program module 
which can determine and control the sequence in which these checkout modules are 
executed is also required for each subsystem. 

Subsequent to fault detection, the software associated with the subsystem 
which is most likely to contain the error will be activated. 

The subsystem software will analyze the error indication, and initiate a 
sequence of checkout modules to isolate the problem. If successful, the crew is 
notified regarding the Line Replaceable Unit (LRU) to be replaced. If an error 
cannot be identified, the crew is informed of the situation and has an option to 
execute the periodic test of the subsystem. 

After a fault has been isolated, reconfiguration software restores the 
functional capability of the subsystem. This is most commonly accomplished by 
exchanging a redundant element for the failing unit, or by defining an alternate 
path to accomplish the required function. 

The Task 2 Final Report of the basic onboard checkout techniques study 
provides descriptions of the software requirements, definitions and design in 
addition to detailed flow charts of specific checkout routines. 
6.2 SPACE STATION SUBSYSTEM 


The Guidance, Navigation and Control (GN&C) Subsystem checkout programs 
are used to monitor GN&C Subsystem test points in order to verify the proper 
operation of the functional assemblies of which it is made. Cognizance is taken 
of the mode of the GN&C Subsystem by utilizing data prepared by the GN&C 
Application Programs. When a fault indication is detected, isolation is performed 
by logically combining the measurements taken from test points of the subsystem. 
Fault detection is initiated and performed without crew assistance. This does not 
preclude crew control, however, since a test module may be initiated from the 
display console keyboard or by ground command at any time. In addition, the rate 
at which the monitoring modules are initiated may be altered in a similar manner. 

The functions identified are those for fault detection, fault isolation, trend 
analysis, reconfiguration, and calibration. They are implemented in a combination 
of hardware, multi-level executive, and high-level language programs. The 
modular programs and executive services are multi-purposed and can be invoked 
by the crew, ground personnel, or other programs. 

The GN&C Checkout Programs provide for fault detection, trend analysis, 
fault isolation, reconfiguration, and calibration by a combination of executive 
services, high level language programs, and coordinated hardware utilization. 

The modules used for fault isolation, reconfiguration, and calibration are 
capable of being initiated by crew, ground, or another module. Before proceeding 
on an analysis of subsystem test points, the subsystem mode is ascertained in 
order to determine which analysis modules should be employed and how the 
analysis should be performed. Checkout module performance is valid whether 
initiated as a result of an RDAU limit check, a crew or ground command, or by 
the Pacer (a software module which automatically initiates programs at a 
prescribed rate). A diagram of the Guidance, Navigation and Control Subsystem is 
shown in Figure 6-1. 

Figure 6-2 reflects the functional breakdown of the subsystem and the 
hierarchical relationship which exists between the various assemblies. 
Figure 6-1. Guidance, Navigation and Control Subsystem 

Figure 6-2. GN&C Subsystem Assembly Configuration 

The GN&C Checkout Program structure is outlined in the following chart: 


MASTER EXECUTIVE 



All functions are initiated as independent modules by the master executive 
program. When a module requires another program to be executed, it requests 
this of the master executive. 
6.2.1 SYSTEM REQUIREMENTS 


The GN&C System requires that trend analysis be performed and used as a 
fault detection method. In addition, interface with crew and ground is required 
upon detection of an unfavorable trend, so that potential resupply aspects can be 
considered. Operational data will be used where appropriate for checkout purposes. 

The GN&C Checkout Programs are written in a high level language so that 
development and alteration by professionals other than programmers will be 
feasible. The programs will interface with a multi-level executive, the lowest 
level of which will also serve non-checkout programs. Upper levels of the execu- 
tive will perform services unique to the checkout mission. 

Note that interface between the Data Management Subsystem and the GN&C 
Subsystem (see Figure 6-3) is accessed only through the Master Executive. 
Checkout programs may interface either directly or indirectly with an executive 
level. 


Fault detection will be accomplished by hardware under the control of 
software, by GN&C application programs, and by trend analysis programs. The 
most common method will be hardware under control of software. Limits are 
stored in the memory of the Remote Data Acquisition Units (RDAUs) which 
continuously check test points, and interrupt the multiprocessor if an out-of-limit 
signal is received. The rate at which the RDAU checks limits meets or exceeds 
the highest rate requirement for fault detection sampling. 

While continuous orbital monitoring will be performed by RDAU hardware 
under software executive control, periodic checks will be performed by using the 
same modules employed during fault isolation. 

6.2.2 OPERATIONAL REQUIREMENTS 

The GN&C checkout modules are required to perform caution and warning, 
trend analysis, calibration, fault isolation to the LRU level, and reconfiguration 
of the GN&C Subsystem with a modular design which allows employment of various 
program modules in a variety of configurations upon initiation by RDAU interrupt, 
crew, ground, Pacer, or other programs. The fault detection control and trend 
analysis functions are implemented by extensive use of executive modules. The 
higher level language is used for the fault isolation, reconfiguration, and calibra- 
tion functions with executive support in the areas of mode analysis and data base 
management. 
Figure 6-3. Executive and Subsystem Interfaces 


6.2.2.1 Fault Detection Function 

Since the fault detection function is operationally implemented in the RDAU 
hardware, this section discusses the control of the RDAU limit check feature. 

The contents of RDAU memory must be redundantly maintained in auxiliary storage 
so that the secondary RDAU may be initialized if the primary fails. 

Input to the fault detection control function consists of the command to change 
RDAU limits, a mode table, and a limit table. Output consists of the mode table, 
limit table, the RDAU memory, and displays. 

Information processing takes place in the OCS Executive, and consists of 
changing the RDAU channel mask to enable or disable interrupts caused by out-of- 
limit signals, changing the limits, and updating the mode and limit tables accord- 
ingly. The extensive involvement with executive table formats makes implementation 
as an executive service more attractive than implementation in a higher-level 
language. 
Limit check specifications are made regarding a symbolic test point address. 
The fault detection control function translates this into specific RDAU memory 
changes for both the primary and secondary RDAUs. In doing so, it must reference 
the symbolic address translation, configuration, and RDAU memory tables. 
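The fault detection control function described above can be modelled as follows. This is an added Python example, not code from the study: the class names, symbolic addresses, and channel numbers are constructed, and the mode table is left out so that the example stays on limit changes, the interrupt mask, and the redundant copy of RDAU memory.

```python
from dataclasses import dataclass, field


@dataclass
class Rdau:
    """One RDAU: per-channel limits and the mask of channels allowed to interrupt."""
    limits: dict = field(default_factory=dict)  # channel -> (low, high)
    mask: set = field(default_factory=set)      # channels with interrupts enabled

    def scan(self, readings):
        """Exception reporting: return only unmasked channels that are out of limits."""
        out = []
        for channel, value in sorted(readings.items()):
            if channel in self.mask and channel in self.limits:
                low, high = self.limits[channel]
                if not low <= value <= high:
                    out.append(channel)
        return out


class FaultDetectionControl:
    """Translates symbolic limit commands into changes on both RDAUs."""

    def __init__(self, translation):
        self.translation = dict(translation)  # symbolic address -> RDAU channel
        self.primary, self.secondary = Rdau(), Rdau()
        self.limit_table = {}                 # executive's view, keyed by symbol
        self.aux_storage = {"limits": {}, "mask": set()}

    def _channel(self, symbol):
        if symbol not in self.translation:
            raise KeyError(f"unknown test point {symbol!r}")
        return self.translation[symbol]

    def _checkpoint(self):
        # Redundant copy of RDAU memory, used to initialise a replacement unit.
        self.aux_storage = {"limits": dict(self.primary.limits),
                            "mask": set(self.primary.mask)}

    def set_limits(self, symbol, low, high):
        if low > high:
            raise ValueError("lower limit exceeds upper limit")
        channel = self._channel(symbol)
        for unit in (self.primary, self.secondary):
            unit.limits[channel] = (low, high)
        self.limit_table[symbol] = (low, high)
        self._checkpoint()

    def set_interrupt(self, symbol, enabled):
        channel = self._channel(symbol)
        for unit in (self.primary, self.secondary):
            (unit.mask.add if enabled else unit.mask.discard)(channel)
        self._checkpoint()

    def initialise_from_aux(self):
        """Build a fresh RDAU image from auxiliary storage (primary has failed)."""
        return Rdau(limits=dict(self.aux_storage["limits"]),
                    mask=set(self.aux_storage["mask"]))

    def in_sync(self):
        return (self.primary.limits == self.secondary.limits
                and self.primary.mask == self.secondary.mask)


# Constructed symbolic addresses and channel numbers, for illustration only.
TRANSLATION = {"CMG1.BEARING_TEMP": 3, "GYRO1.HEATER_VOLTS": 7}


def demo():
    fdc = FaultDetectionControl(TRANSLATION)
    fdc.set_limits("CMG1.BEARING_TEMP", 40.0, 140.0)
    fdc.set_limits("GYRO1.HEATER_VOLTS", 26.0, 30.0)
    fdc.set_interrupt("CMG1.BEARING_TEMP", True)   # heater channel stays masked
    readings = {3: 151.0, 7: 31.5}                 # both readings are out of limits
    first = fdc.primary.scan(readings)             # only the unmasked channel reports
    fdc.set_interrupt("GYRO1.HEATER_VOLTS", True)
    second = fdc.initialise_from_aux().scan(readings)
    return first, second, fdc.in_sync()
```

A masked channel that is out of limits raises no exception at all, so any change to the mask is as significant to detection coverage as a change to the limits themselves.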

A flowchart of the fault detection control function is shown in the Task 2 
Final Report. 

6.2.2.2 Fault Isolation Function 

Primary logic control of isolation programs is accomplished by the language 
TOOL. Those services and functions which are common to fault isolation in other 
subsystems are provided as executive services. 

Input to the fault isolation function consists of RDAU interrupts, crew initia- 
tion, initiation by other programs, the symbolic address of the test points, test 
point measurements, data being managed by application programs, and the mode 
table. 


Output from the fault isolation function consists of stimuli, commands, 
displays, mode table, and parameters for the reconfiguration module. 

Fault isolation processing consists of determining whether the mode of the 
assembly allows the test to proceed, allowing a mode change if necessary, eval- 
uating the interfaces supplied to the assembly under test, and evaluating the LRUs 
of the assembly. LRU evaluation involves an examination of interfaces, similar to 
that done for the next higher assembly; consequently, the order in which LRUs are 
tested is important. The modules are designed to provide verification on an as- 
required or periodic basis, such as just prior to artificial G mode. 

Of particular importance in the isolation of failed Line Replaceable Units 
(LRUs) is the examination of interfaces between the assembly under analysis and 
other assemblies. In Figures 6-4 through 6-6, examples of interfaces which are 
important during fault isolation are shown. Prior to evaluating the performance of 
any assembly, it is necessary to make sure that its supporting interfaces are 
within tolerance. The approach required for GN&C fault isolation, showing the 
relationship between the mode, interface, and assembly analyses appears in 
Figure 6-7. 
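The ordering described above (mode first, then supporting interfaces, then the LRUs in sequence) is shown in the following added Python example, which is not taken from the study or its flowcharts. The assembly, LRU names, test points, and tolerances are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    point: str     # symbolic test point
    low: float
    high: float

    def ok(self, measurements):
        value = measurements.get(self.point)
        # A missing measurement is treated as out of tolerance.
        return value is not None and self.low <= value <= self.high


@dataclass(frozen=True)
class Lru:
    name: str
    inputs: tuple  # Checks on the signals this LRU is fed
    output: Check  # Check on what this LRU produces


@dataclass(frozen=True)
class Assembly:
    name: str
    testable_modes: frozenset
    interfaces: tuple  # Checks on supporting interfaces from other assemblies
    lrus: tuple        # ordered upstream to downstream


def isolate(assembly, mode, measurements):
    """Return (verdict, detail) for one assembly."""
    # 1. Mode analysis: the test may only proceed in a mode that allows it.
    if mode not in assembly.testable_modes:
        return ("mode_change_required", mode)
    # 2. Interface analysis: a bad supporting interface points outside this assembly.
    bad = [c.point for c in assembly.interfaces if not c.ok(measurements)]
    if bad:
        return ("interface_out_of_tolerance", bad)
    # 3. LRU analysis, in order: an LRU is blamed only when its own inputs are good.
    for lru in assembly.lrus:
        bad_inputs = [c.point for c in lru.inputs if not c.ok(measurements)]
        if bad_inputs:
            return ("unresolved", bad_inputs)
        if not lru.output.ok(measurements):
            return ("replace_lru", lru.name)
    return ("no_fault_found", None)


# Hypothetical two-LRU assembly: the head feeds the processor.
POWER = Check("BUS.28V", 26.0, 30.0)
HEAD_OUT = Check("SENSOR.HEAD_SIGNAL", 0.5, 4.5)
PROC_OUT = Check("SENSOR.PITCH_ERROR", -5.0, 5.0)
HEAD = Lru("sensor_head", (POWER,), HEAD_OUT)
PROCESSOR = Lru("signal_processor", (HEAD_OUT,), PROC_OUT)
MODES = frozenset({"standby", "operate"})
ASSEMBLY = Assembly("example_sensor", MODES, (POWER,), (HEAD, PROCESSOR))
MISORDERED = Assembly("example_sensor", MODES, (POWER,), (PROCESSOR, HEAD))

# Constructed measurements: the head has failed, so the processor output is bad too.
HEAD_FAILED = {"BUS.28V": 28.0, "SENSOR.HEAD_SIGNAL": 0.0, "SENSOR.PITCH_ERROR": 9.0}
```

With the LRUs examined upstream first, `isolate(ASSEMBLY, "operate", HEAD_FAILED)` names the sensor head; examined in the wrong order, the same measurements give no resolvable answer, which is why the sequence matters.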

Information reflecting the attributes of fault isolation modules for each GN&C 
Subsystem assembly appears in Table 6-1. 
Figure 6-4. LRU Interface Diagram, Horizon Detector Assembly 

Figure 6-5. LRU Interface Diagram, Attitude Gyro Assembly 

Figure 6-6. LRU Interface Diagram, Horizon Sensor Assembly 

Figure 6-7. General Fault Isolation 

Table 6-1. Fault Isolation and Periodic Check Requirements 



In preparing the table, the following considerations were applied to the fault 
isolation for each assembly: 

• Is exclusive control of the assembly under analysis required, thus 
precluding operational use during fault isolation? 

• Is the status of the assembly altered during analysis? 

• Is it necessary to make use of data which is managed by application 
programs? 

• Must the application data be altered? This consideration is mutually 
exclusive of the one immediately above. 

• Is it necessary to make use of data maintained by the executive? 

• Must the executive data be altered? (Mutually exclusive) 

• Is it necessary to cycle the assembly through various modes of operation 
during fault isolation? 

• Are stimuli required during analysis? 

• Are digital readings used, as contrasted with analog or bi-level? 

• Is the sequence in which the LRUs of the assembly are examined 
important? 

Fault isolation examples for the horizon detector, attitude gyro, horizon 
sensor, star sensor, star tracker, and rendezvous tracker are shown in Figures 
3-21 through 3-30 of the Task 2 Final Report. 

6.2.2.3 Trend Analysis Function 

Trend analysis is used on selected GN&C parameters for the detection of 
degraded performance or impending failure. 

Input to the trend analysis function consists of RDAU interrupts, measure- 
ments, the Pacer, and real time. Output consists of caution and warning displays, 
trend table data, and fault isolation parameters. 

The parameter is measured and the time of measurement is obtained. These 
values are combined with a predetermined number of previous values to form a 
set of X-Y coordinates which could be plotted on a graph depicting parameter value 
versus time. Exponential smoothing of the data is performed, and extrapolation 
estimates are calculated to determine whether the trend is approaching a caution or 
warning condition, whether the parameter will be out of limits prior to the next 
measurement cycle, or whether a failure may occur for the LRU between resupply 
event i and resupply event i+1. 
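The smoothing and extrapolation steps described above are worked through in the following added Python example, which is not code from the study. The report does not state which smoothing variant is used; the double (level and trend) exponential smoothing, the weights, the function names, and the sample readings here are all assumptions made for illustration.

```python
def smooth(samples, alpha=0.5, beta=0.5):
    """Double exponential smoothing over (time, value) pairs with uneven spacing.

    Returns (level, trend_per_unit_time, time_of_last_sample).
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t_prev, level), (t1, y1) = samples[0], samples[1]
    if t1 <= t_prev:
        raise ValueError("sample times must increase")
    trend = (y1 - level) / (t1 - t_prev)        # initial slope from the first pair
    for t, y in samples[1:]:
        dt = t - t_prev
        if dt <= 0:
            raise ValueError("sample times must increase")
        predicted = level + trend * dt          # where the old trend said we would be
        new_level = alpha * y + (1 - alpha) * predicted
        trend = beta * (new_level - level) / dt + (1 - beta) * trend
        level, t_prev = new_level, t
    return level, trend, t_prev


def time_to_limit(level, trend, low, high):
    """Time after the last sample at which the smoothed value leaves [low, high]."""
    if not low <= level <= high:
        return 0.0                              # already out of limits
    if trend > 0:
        return (high - level) / trend
    if trend < 0:
        return (low - level) / trend
    return None                                 # flat trend never crosses a limit


def assess(samples, low, high, next_cycle, resupply_i, resupply_next,
           alpha=0.5, beta=0.5):
    """Extrapolate the trend and answer the two questions posed in the text."""
    level, trend, t_last = smooth(samples, alpha, beta)
    remaining = time_to_limit(level, trend, low, high)
    crossing = None if remaining is None else t_last + remaining
    return {
        "level": level,
        "trend": trend,
        "crossing_time": crossing,
        "out_before_next_cycle": crossing is not None and crossing <= next_cycle,
        "fails_between_resupply": (crossing is not None
                                   and resupply_i <= crossing < resupply_next),
    }


# Constructed readings (hours, degrees): a bearing temperature rising 0.2 per hour.
BEARING_TEMP = [(0, 100.0), (10, 102.0), (20, 104.0), (30, 106.0), (40, 108.0)]
```

With a limit of 120 the extrapolated crossing falls at hour 100: not before the next measurement at hour 50, but inside a resupply window of hours 60 to 200, which is the case that calls for notifying crew and ground rather than raising an immediate warning.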

Trend analysis modules exist for each of the following GN&C Subsystem 
assemblies: 

• Attitude Gyro 

    gyro case temperature 
    gyro heater voltage 

• Accelerometer 

    accelerometer temperature 
    accelerometer heater voltage 

• Laser Rendezvous Tracker 

    tracker transmitter power monitor 
    tracker receiver energy monitor 

• Laser Docking Tracker 

    tracker transmitter power monitor 
    tracker receiver energy monitor 

• Jet Driver 

    driver inputs 

• Control Moment Gyro 

    spin power monitor 
    vibration monitor 
    bearing temperature monitor 
    vacuum monitor 

The following trend analysis methods are utilized by GN&C checkout: 

• Integration, with respect to time over a fixed time interval, and 
comparison of the integral with a fixed limit. This method is 
employed with the attitude gyro and accelerometer assemblies. 

• An average of N samples taken during a particular phase of operation, 
with the average compared to that acquired previously. This method 
is employed with the laser rendezvous tracker and docking tracker 
assemblies. 

• A count of the number of operations over a fixed time interval and 
comparison with a fixed limit. This method is employed with the jet 
driver assembly. 

• Periodically sample for a time interval which is small compared to the 
period. This method is employed with the control moment gyro assem- 
bly. The samples are averaged, adjusted for trend, and used to calcu- 
late the estimated time of failure, if any. 
Figures 3-31 through 3-34 of the Task 2 Final Report contain logic 
flowcharts for the time integration, moving average, operations count, and periodic 
sample methods of trend analysis employed for the GN&C Subsystem. 

6.2.2.4 Reconfiguration Function 

The reconfiguration function keeps track of the use of primary and redundant 
assemblies by using symbolic assembly identification. This implies that the appli- 
cation programs reference assemblies using the same symbology. 

Inputs consist of the symbolic identity of the failed LRU, the configuration 
table, and the mode table. Identification of the LRU may come from the crew, 
instead of from the fault isolation function. 

Outputs consist of changes to the configuration table, changes to the mode 
table, crew displays, mode commands, and parameters to the calibration function. 

Information processing consists of changing the modes of both the replaced 
and the replacement assemblies, and updating the configuration table to show the 
relationship with the next higher and next lower assemblies. The interchanged 
assemblies are commanded to change modes as appropriate; and the mode table is 
changed to reflect the status in preparation for future fault isolation activities. 

The reconfiguration function of GN&C checkout is concerned with alterations 
to the GN&C Subsystem, and the data base alterations necessary to track these 
changes. Therefore, a combination of mode commands and table maintenance 
activities are involved. The function involves extensive use of executive services 
for data base management, while utilizing bi-level and digital stimulus points in 
order to activate/de-activate the LRUs involved in reconfiguration. 

If the spare is installed, reconfiguration can be accomplished automatically. 
If a spare is not available, the status of the containing assembly is altered to 
reflect the fact that it is disabled. If the spare is on board, but requires crew action, 
notification of a failure rate monitor may take place in order to ensure that the 
repair rate will exceed the failure rate. 

The logic flow for the reconfiguration function is shown in Figure 6-20. 

6.2.2.5 Calibration Function 

Calibration may be employed periodically after repair, or as a result of 
replacing a failed assembly. The techniques involved are unique to the individual 
assemblies, and in some cases involve the acquisition of data managed by applica- 
tion programs. 
Figure 6-20. Reconfiguration 

Input to the calibration function consists of parameters supplied by the crew, 
information passed by the reconfiguration function, calibration tables, and operational 
data. Output consists of changes to the operational data tables and crew 
communication. 


Information processing includes the employment of other functional GN&C 
assemblies for reference purposes, and changing the calibration references for 
application programs. As an example, a reading of 3.27 volts may correspond to 
a zero degree reference for the new assembly; whereas for the assembly which 
failed, a reading of 2.98 volts was the zero reference. 

The calibration function is concerned with the data base management involved 
when an LRU is replaced by crew action, as well as the stimuli and crew inter- 
action which may be involved in actual calibration of certain GN&C LRUs. The 
calibration function is, therefore, used during replace operations; whereas the 
reconfiguration function discussed above is concerned with remove operations. 

The calibration function may be invoked by the crew, or automatically by 
the reconfiguration function for certain installed spares. 

The logic flow for the calibration function is shown in Figure 6-21. 

6.2.3 INTERFACE REQUIREMENTS 

The GN&C checkout program requires services of, and is initiated by, the 
Executive program. Any interfaces to other programs, or data managed by other 
programs, are obtained through the executive. When crew or ground initiation is 
required, this is done with the executive serving as an interface. 

The checkout function interfaces are shown in Figure 6-22. The Caution and 
Warning function examines a test point criticality table for each measurement 
detected to be out of limits, and provides required notification on the appropriate 
display. This function is performed by the OCS Executive which receives control 
from the interrupt handler of the Master Executive, from a trend analysis module, 
or from an application program. 

The OCS Executive is also involved during fault isolation in an analysis of the 
mode of the assembly to be tested, and an analysis of the modes of the interfacing 
assemblies. 

Detailed interfaces between GN&C Checkout Program functions and specific 
Data Management Subsystem (DMS) elements and tables are shown in Figures 3-38 
through 3-42 of the Task 2 Final Report. 
Figure 6-21. Calibration 

Figure 6-22. GN&C Checkout Function Interfaces 

Section 7 


MAINTENANCE 


There are two aspects of maintenance which entered into the basic study. 
Basic maintenance concepts were provided as part of the baseline resulting from 
the Phase B Space Station study; they are discussed in subsection 7.1 below. 
Additionally, one of the study tasks was aimed at implementation of an onboard 
electronics maintenance capability. The results of that task are summarized 
in subsection 7.2. 

7.1 BASELINE MAINTENANCE CONCEPTS 


Maintenance concepts defined for Space Station subsystems are intended to 
facilitate their preservation or restoration to an operational state with a minimum 
of time, skill, and resources within the planned environment. 

7.1.1 GENERAL SPACE STATION MAINTENANCE POLICY 

It is a Space Station objective that all elements be designed for a complete 
replacement maintenance capability unless maintainability design significantly 
decreases program or system reliability. This objective applies to all sub- 
systems wherever it is reasonable to anticipate that an accident, wearout, or 
other failure phenomenon will significantly degrade a required function. Estimates 
of mean-time-between-failure, or accident/failure probability, are not accepted 
as prima facie evidence to eliminate a particular requirement for maintenance. 
Should the accident/failure probability be finite, the hardware is to be designed 
for replacement if it is reasonable and practical to do so. 

As a design objective, no routine or planned maintenance shall require use 
of a pressure suit [either EVA or internal vehicular activity (IVA)]. Where 
manual operations in a shirtsleeve environment are impractical, remote control 
means of effecting such maintenance or repairs should be examined. However, 
EVA (or pressure suit IVA) is allowable where no other solution is reasonable, 
such as maintenance of external equipment. 

Time dependency shall be eliminated as a factor of emergency action insofar 
as it is reasonable and practical to do so. This includes all program aspects of 
equipment, operations, and procedures which influence crew actions. When time 
cannot be eliminated as a factor of emergency action, a crew convenience period 
of 5 minutes is established as the minimum objective. The purpose of the con- 
venience period is to provide sufficient time for deliberate, prudent, and unhurried 
action. 
7.1.2 ONBOARD MAINTENANCE FACILITY CONCEPTS 


In addition to OCS/DMS capabilities, other onboard maintenance support 
facilities provided on the Space Station include: 

• Special tools for mission-survival contingency repairs such as soldering, 
metal cutting, and drilling, as determined from contingency maintenance 
analyses, although repairs of this type are not considered routine main- 
tenance methods. 

• Protective clothing or protective work areas for planned hazardous 
maintenance tasks (such as those involving fuels, etc.). 

• Automated maintenance procedures and stock location data for both 
scheduled and unscheduled maintenance and repair activities. 

• Real-time ground communication of the detailed procedures, update 
data, and procedures not carried onboard. 

• Onboard cleanroom-type conditions by "glove box" facilities compatible 
with the level at which this capability is found to be required. 

• Maintenance support stockrooms or stowage facilities for spares 
located in an area that provides for ease of inventory control and 
ready accessibility to docking locations or transfer passages. 

7.1.3 SUBSYSTEM MAINTENANCE CONCEPTS 

Space Station subsystems utilize modular concepts in design and emplace- 
ment of subsystem elements. Subsystem modularity enhances man's ability to 
maintain, repair, and replace elements of subsystems in orbit. Providing an 
effective onboard repair capability is essential in supporting the Space Station's 
ten-year life span since complete reliance on redundancy to achieve the long life 
is not feasible. The need for a repair capability, in turn, requires that a mal- 
function be isolated to at least its in-place remove-and-replace level. The level 
of fault isolation is keyed to the LRU, which is the smallest modular unit suitable 
for replacement. The identification of subsystem LRUs is addressed as a 
separate, but interdependent, part of the Onboard Checkout Study. 





Specific subsystem maintenance concepts, of course, depend upon examina- 
tion of the subsystems. These concepts are discussed in subsequent subparagraphs. 
General subsystem-related maintenance guidelines that have been established for 
the Space Station are: 

• It is an objective to design so that EVA is not required. However, EVA 
may be used to accomplish maintenance/repair when no other solution 
is reasonable. 

• Subsystems will be repaired in an in-place configuration at a level that 
is acceptable for safety and handling, and that can be fault-isolated and 
reverified by the integrated OCS/DMS. This level of maintenance is 
referred to as line maintenance and the module replaced to effect the 
repair is the LRU. 

• A limited bench-level fault isolation capability will be provided on the 
Space Station, but is only intended for contingency (recovery of lost 
essential functions beyond the planned spares level) or for development 
purposes. Limited bench-level support is also provided in the form 
of standard measurement capabilities which are used primarily to 
reduce the amount of special test equipment required. 

• Subsystem elements, wherever practical, will be replaced only at 
failure or wearout. Limited-life items that fail with time in a manner 
that can be defined by analysis and test will be allowed to operate until 
they have reached a predetermined level of deteriorated performance 
prior to replacement. Where subsystem downtimes for replacement or 
repair exceed desirable downtimes, the subsystem will include backup 
(redundant) operational capability to permit maintenance. Expendable 
items (filters, etc.) will be replaced on a preplanned, scheduled basis. 

7.2 ONBOARD ELECTRONIC MAINTENANCE (STUDY TASK 3) 


The objective of this task was to generate recommendations of supporting 
research and technology activities leading to implementation of a manned electron- 
ics maintenance facility for the Space Station. Early in the task it became apparent 
that attention could not be confined to a central maintenance facility; it was necessary
to refocus the task to address implementation of an on-board maintenance
capability encompassing in-place as well as centralized maintenance activities. 

The critical questions are the following: 

• What is the optimum allocation of onboard maintenance functions 
between in-place and centralized maintenance facility locations? 
• What is the optimum level of onboard repair (i.e., to line-replaceable
unit, subassembly or module, piece part, or circuit element)? 

7.2.1 MAINTENANCE CYCLE 

In order to place the task in the proper context, a generalized Space Station 
electronic maintenance cycle is depicted in Figure 7-1. 

A convenient place to enter the cycle is with detection of a fault ("In-Place 
Maintenance" block). The fault is isolated to a Line Replaceable Unit (LRU). The 
affected subsystem is restored to full capability by replacing the failed LRU with an 
operable one from spares storage. 

The failed LRU is taken to a maintenance facility (assumed for the moment 
to have a fixed location in the Space Station) where it is first classified as repairable
or non-repairable. Classifications will likely be predetermined, and a listing
should be retained in the Data Management Subsystem. If the LRU is non-repairable, 
it is placed in segregated storage. If the LRU is repairable on board, the fault is 
further isolated to the failed Shop Replaceable Assembly (SRA). The LRU is then 
repaired by replacing the failed SRA with one from spares storage. The repaired 
LRU is then calibrated (if necessary), and its operation verified before it is placed 
in spares storage. 

Logistics requirements (replacement LRUs and SRAs needed) are transmitted 
to ground-based logistics support functions by RF communications and/or Space 
Shuttle. Failed units are taken away from and replacement units are delivered to 
the Space Station by the Space Shuttle. 

7.2.2 SUMMARY OF RESULTS

The study confirmed and emphasized the necessity of onboard maintenance for 
any manned mission of any complexity and duration measured in months (up to 10 
years for Space Station). Formulation of recommendations for implementing such 
a capability required consideration of other topics first, and achievement of 
certain interim results. The principal conclusions of this study task are sum- 
marized below. The analyses leading to them are explained in the Task 3 Final 
Report. 

• Prior studies and developments of in-space maintenance have empha- 
sized justification of first-level (in-place) maintenance, fasteners, and 
tools for space application and human factors criteria. Much less 
attention has been devoted to test equipment, maintenance training, or 
definition of shop level maintenance requirements. 
Figure 7-1. Space Station Maintenance Cycle

• The baseline subsystem descriptions, checkout requirements analysis, 
and software requirements analysis indicate that approximately 60 per- 
cent of all faults (over a long period) can be isolated to the failed LRU 
automatically under software control, without crew intervention. In an 
additional 27 percent of failure cases, fault isolation to one LRU can be 
achieved by the crew using the onboard Data Management System as a 
tool. In the remaining failure cases, additional fault isolation capabili- 
ties are needed. This is a good result for a "first iteration" and can 
probably be improved considerably with a modest effort to modify stim- 
ulus and measurement provisions. 

• Crew involvement in scheduled and unscheduled maintenance (including 
participation in fault isolation) is estimated to average 7.2 manhours per
week over the total mission time. This estimate is most sensitive to
equipment reliability and levels at which onboard repair is performed.
It is affected little by the efficiency of automated fault isolation under
control of the Data Management Subsystem (DMS). 
• The recommended approach to maintenance in the baseline Space Station
is in-place removal and replacement of LRUs, without attempts to repair
LRUs onboard, if the resupply interval is less than nine months. Onboard 
spares should be LRUs. 

• For long resupply intervals or non-resupplied missions (as in a manned 
interplanetary mission), in-place maintenance should be by removal and 
replacement of LRUs. Repair of LRUs should be by removal and replace- 
ment of Shop Replaceable Assemblies (SRAs). Onboard spares should be 
SRAs. 

• The Earth-orbital Space Station should include provision for development
of onboard maintenance capability and techniques applicable to long dura- 
tion non-resupplied missions and/or the larger, more complex Space 
Base. 

• The baseline subsystem descriptions are at such a level of detail that 
precise specification of onboard tools and test equipment is neither
feasible nor desirable. Anticipated needs identified qualitatively in the
study are: (1) a portable test module to supplement software fault isolation
as well as to assist mechanical adjustments and calibration, (2) hand
tools for removal and replacement of electronic assemblies, (3) devices 
for transporting and positioning spare assemblies, and (4) a central 
maintenance/repair bench. 

• Several tasks have been identified and recommended for future perfor- 
mance, as part of a system study/design program or as separate 
supporting research and technology tasks. The principal ones deal with 
(1) development of a portable test assembly, (2) development of a repair/ 
test bench with special provisions for small parts retention and for de- 
bris collection, (3) design for accessibility of test points and subassem- 
blies, and (4) devices for transporting equipment within the Space Station. 

The foregoing conclusions apply to the Modular Space Station as well as the 
33-foot diameter, four-deck configuration.

The results of the study rest upon several assumptions and estimates, 
derived wherever possible from related experience. The results are not sensitive 
to small variations of the assumed or estimated values, except for equipment fail- 
ure rates, which are most influential. Furthermore, it has not been practicable to 
pursue all trade analyses to include all relevant factors. Nevertheless, the study 
has generated valid insights into Space Station onboard maintenance and useful 
visibility of the path to implementation of that capability. 